I have a small 'webserver' script written in Perl, which needs to run as root, because it performs certain actions in parts of the script which need to be run as root.

However, I also need to start another Perl script from this master 'webserver'. At the moment I am using: $otherscript=`perl script.cgi`;

This means, however, that the new script also runs as root. This is a problem, since it's a security risk to have it running as root (it's a gameserver start script). How do I keep the webserver running as root, but allow it to create processes which are run as a different user? Apache can do it (not that it's in Perl), so it must be possible.

Having stuff run as root from a web server is always a bit dangerous and you need to be really sure that you're not opening up your web server to attack.

Having said that, the easiest solution is probably to use 'sudo' and to have the appropriate configuration in the /etc/sudoers file to allow your web server user to execute just the required commands as root without a password.

The master server has got some Perl scripts that tell the slave server (via SOCKETS:INET and the Webserver script on the slave servers) to perform certain actions (like start/restart gaming servers).

So, for example, on the main server, if I want to restart a remote game server, the main server will use Sockets INET to communicate with a port on the GAMING (Slave) server to tell it to restart.

The webserver on slave checks the key to make sure that just anyone is sending data, and then executes:

    system('./home/username/control restart');

This restarts the game server. However, the game server is now running as root. Since there are 5 or 6 game servers per machine, I would like the game server to be run as its owner's username.

Is this possible? The things that the webserver needs to do are quite lengthy, so putting them all in sudoers will basically include everything :-), from adduser/userdel, reboot, cp to other directories, mv etc etc.

The only option I could think of at the moment was to create another script with a 'listen' port in every user's directory, and have that running as the user, and then the webserver contacts that script to perform the action. But that's very long-winded :-(.
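
An added example, not code from any of the posts above: one way for a root Perl process to start a child under another account is to fork, drop groups and then the uid in the child only, verify the drop, and exec the command without a shell. The helper name run_as_user is hypothetical, and 'username' and the control script path are taken from the post above as placeholders.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use POSIX ();

# Run @cmd as $user without a shell and return its exit status.
# The caller must be root; only the forked child gives up privileges.
sub run_as_user {
    my ($user, @cmd) = @_;
    my @pw = getpwnam($user) or die "unknown user '$user'\n";
    my ($uid, $gid, $home) = @pw[2, 3, 7];
    die "refusing to run '$user' with uid 0\n" if $uid == 0;

    defined(my $pid = fork()) or die "fork failed: $!\n";
    if ($pid == 0) {
        eval {
            # Groups first: once the uid is dropped the process may no longer change them.
            $) = "$gid $gid";    # effective gid; supplementary groups reduced to $gid only
            POSIX::setgid($gid) or die "setgid($gid): $!\n";
            POSIX::setuid($uid) or die "setuid($uid): $!\n";  # as root: real, effective, saved uid

            # Verify the drop instead of assuming it worked.
            die "uid not dropped\n" unless $< == $uid && $> == $uid;
            die "gid not dropped\n" if grep { $_ != $gid } split ' ', "$( $)";
            die "root can be regained\n" if POSIX::setuid(0);

            # Minimal environment so nothing from the root server leaks into the child.
            %ENV = (PATH => '/usr/bin:/bin', HOME => $home, USER => $user, LOGNAME => $user);
            chdir $home or die "chdir $home: $!\n";
            exec { $cmd[0] } @cmd;    # list form: no shell parses the arguments
            die "exec $cmd[0]: $!\n";
        };
        warn "child: $@";
        POSIX::_exit(127);            # never fall back into the server's code
    }
    waitpid($pid, 0);
    return $? >> 8;
}

# Constructed call: 'username' and the control script path follow the post above.
die "must be started as root\n" unless $> == 0;
my $status = run_as_user('username', '/home/username/control', 'restart');
print "control exited with status $status\n";
```

The child runs with the account's primary group only; if a game server needs the user's supplementary groups, they have to be added to the group list before the uid is dropped.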